< Return to Video

Preferred_Debian_Packaging.webm

  • Not Synced
    Thank you very much.
  • Not Synced
    Thanks everybody for coming,…
  • Not Synced
    If you are packaging software and you want
    me to work on with you,
  • Not Synced
    this is how you can do that.
  • Not Synced
    It is a very self-??? talk:
  • Not Synced
    I just want to explain some of the things
    that I like,
  • Not Synced
    some practice that I prefer about Debian
    packaging,
  • Not Synced
    and I don't pretend this is any sort of
    official,
  • Not Synced
    permanent or final thing.
  • Not Synced
    I just wanted to share some ideas that I
    have about the way that I work with
  • Not Synced
    packages, in the hope that maybe, hmm,
    for two hopes:
  • Not Synced
    One is that I hope that I can show you
    something that you have not heard of,
  • Not Synced
    or maybe you were doing differently,
  • Not Synced
    or maybe you think it is the right think
    to do and it is just nice to see somebody
  • Not Synced
    somebody else doing it.
  • Not Synced
    My second hope is that you can tell me
    what I am doing wrong,
  • Not Synced
    and you can help me learn and improve
    on my own packaging techniques.
  • Not Synced
    If you see something that I am proposing
    up here,
  • Not Synced
    and you think there is a problem with it,
    I would like to hear about it too.
  • Not Synced
    I just want to see more of the culture
    within Debian,
  • Not Synced
    of people who are doing packaging,
    explaining what they are doing,
  • Not Synced
    and so I thought I would just step up and
    explain:
  • Not Synced
    "Here is some of the practice that I do",
  • Not Synced
    In the hope that other people will do the
    same and explain what they are doing,
  • Not Synced
    and maybe they can learn from me and
    I can learn from them.
  • Not Synced
    Without much further ????, I am just going
    to dive into it.
  • Not Synced
    If you have questions, I am perfectly
    happy to be interrupted,
  • Not Synced
    we have some folks with walking mics
    in the crowd:
  • Not Synced
    you can just raise your hand.
  • Not Synced
    I you have got a question or an
    interruption or whatever,
  • Not Synced
    that is fine.
  • Not Synced
    I ??? I got the whole 15 minutes,
    I think there are 20 minutes,
  • Not Synced
    I ??? the whole time, so there will be
    also time for questions at the end
  • Not Synced
    if you prefer.
  • Not Synced
    But I do not mind being interrupted.
  • Not Synced
    So, this is all on this web page here,
  • Not Synced
    you could probably skip this talk and go
    read the web page,
  • Not Synced
    but then you would not have the nice
    ??? actions,
  • Not Synced
    and it is easier to tell me that I am
    wrong in person,
  • Not Synced
    so I would like to have that happen.
  • Not Synced
    I put this up on the Debian wiki,
  • Not Synced
    because I want anyone to be able to find
    it.
  • Not Synced
    If you thing you have got some good ideas,
    you should put it on the Debian Wiki too:
  • Not Synced
    other people can take advantage of the
    ideas that you have got.
  • Not Synced
    First baseline is: I really like revision
    control.
  • Not Synced
    And I know that it makes me a certain
    flavor on nerd,
  • Not Synced
    but when we are working with things that
    are as complicated as software packages,
  • Not Synced
    hmmm, I think a lot of people don't get
    that in Debian we are not just working on
  • Not Synced
    one software package:
  • Not Synced
    you are actually probably, if you are doing
    a responsibly work,
  • Not Synced
    on at least two software packages, and
    maybe 5.
  • Not Synced
    So you have got the version that is
    unstable and you have got
  • Not Synced
    the version that you try to maintain for
    stable as well.
  • Not Synced
    And we are committing to doing maintenance
    work.
  • Not Synced
    A lot of our work in the project is ???
    in nature:
  • Not Synced
    we want to clean up the mess and we want
    us to stay out of the way and
  • Not Synced
    to make sure things work, functionally,
  • Not Synced
    for people who are relying on the
    operating system to not get in their way.
  • Not Synced
    So revision control I think is really
    helpful because it means you can
  • Not Synced
    keep track of what changes you have done
    on different branches of the project
  • Not Synced
    while you are maintaining both of them.
  • Not Synced
    Basically, ??? require working with
    the revision system I am comfortable with,
  • Not Synced
    I prefer Git, I am not going to have a
    religious word about it.
  • Not Synced
    If upstream uses Git, I am even happier,
    and I try to make my packaging depend on
  • Not Synced
    upstream's revision control.
  • Not Synced
    I like to use 'git-buildpackage', and I
    like to use it with debhelper.
  • Not Synced
    If you have not tried out
    'git-buildpackage',
  • Not Synced
    we are going to have a
    'git-buildpackage' skill share session
  • Not Synced
    later on today actually, and I welcome
    you to come and share your tricks with it,
  • Not Synced
    or learn some tricks from other people.
  • Not Synced
    It is a particular way that you can keep
    your Debian packaging in a Git repository,
  • Not Synced
    and it helps you to keep track of all of
    the changes that ave happened within
  • Not Synced
    your packaging and within upstream to
    make sure you are not accidentally
  • Not Synced
    making other changes.
  • Not Synced
    So it is very easy to go back and review
    what you have done.
  • Not Synced
    I find that really useful.
  • Not Synced
    I definitely also like to keep upstream's
    source code in the same revision control
  • Not Synced
    system.
  • Not Synced
    I like to keep the tarballs in the
    revision control system because it means
  • Not Synced
    that if someone is interested, they can
    uses a tool called 'debcheckout'.
  • Not Synced
    You can use 'debcheckout' with a name of
    a package:
  • Not Synced
    you say just "I am really interested in
    package 'foo',
  • Not Synced
    let me see the source code for that":
  • Not Synced
    debcheckout foo
  • Not Synced
    You get the source code, and you get the
    source code from a revision control
  • Not Synced
    system that you can now track and you
    can just propose changes on.
  • Not Synced
    You can also extract the tarball from that
    revision control system.
  • Not Synced
    'debcheckout' actually works even if you
    do not have upstream stuff in there,
  • Not Synced
    but I like to keep it all in one revision
    control system,
  • Not Synced
    it is just easier to find everything when
    you want.
  • Not Synced
    Some of these things that I prefer have
    to do with what the upstream software
  • Not Synced
    developer has done, so I am less inclined
    to try the package an upstream software
  • Not Synced
    project if they just throw tarballs here
    over the wall to an FTP side
  • Not Synced
    every now and then.
  • Not Synced
    It makes it more difficult for me to know
    what they are doing,
  • Not Synced
    and why they are doing it.
  • Not Synced
    So i like it, I have already said, when
    upstream uses Git,
  • Not Synced
    I also like when upstream signs their
    releases,
  • Not Synced
    and say "hey, this is specific release",
  • Not Synced
    Because that is a signal that I can use,
    or somebody else that understands the
  • Not Synced
    project: as said "we think that this
    something that other people can use",
  • Not Synced
    or "this is a particular version we would
    like other people to test".
  • Not Synced
    There are a lot of other situations where
    maybe it is not so important.
  • Not Synced
    And having that be cryptographically
    signed is really useful.
  • Not Synced
    I care about cryptographic signature on
    software because I want to know that
  • Not Synced
    what I am running is related to the code
    that somebody else out should be run.
  • Not Synced
    And if you don't verify your software
    cryptographically, anyone could
  • Not Synced
    intercept the network connection
    between you and that software,
  • Not Synced
    and modify the software before it gets
    to you.
  • Not Synced
    And the cryptographic signature just says:
  • Not Synced
    "look, this is a version that I am OK
    with. I am putting it out there and
  • Not Synced
    it comes from me".
  • Not Synced
    And so I can have a trace back to that
    point.
  • Not Synced
    ??? just talk about briefly about how you
    do cryptographic verification of upstream.
  • Not Synced
    You might know upstream: you might know
    them personally, you know their key
  • Not Synced
    already, that is fine.
  • Not Synced
    That is not the usual case: we work on
    the Internet.
  • Not Synced
    In the situation where your upstream is
    signing their tarballs
  • Not Synced
    and you have not met them, you do not
    have to sign their key,
  • Not Synced
    you do not have to say "I announce this
    is their key".
  • Not Synced
    This is probably the same one that is
    signing every release,
  • Not Synced
    so you should keep track of that.
  • Not Synced
    Debian has a nice way to keep track of
    that:
  • Not Synced
    you can tell Debian how to find the new
    version of the upstream tarball.
  • Not Synced
    This is in the Debian 'watch' file.
  • Not Synced
    If you type 'man uscan', you can learn
    more about Debian 'watch',
  • Not Synced
    and Debian 'watch' has now a feature that
    lets you say
  • Not Synced
    "that is not only this way you find the
    tarball,
  • Not Synced
    but upstream publishes signatures
    and the signatures look like this".
  • Not Synced
    You know, they got a '.sig' at the end.
  • Not Synced
    So there is a particular arcane way to
    specify that, but if you specify that,
  • Not Synced
    then 'uscan' can find not only the
    upstream tarball but can find the
  • Not Synced
    upstream signature and, if you drop
    upstream's signing key -
  • Not Synced
    which of course I did not put on the wiki
    page, someone should add it that and
  • Not Synced
    fix it - you can put the upstream signing
    key in 'debian/upstream/signing-key.asc'.
  • Not Synced
    And then if you do that, when you say
    'uscan', you can tell…
  • Not Synced
    Maybe some people here do notk
    now how to use 'uscan'.
  • Not Synced
    'uscan' is a very simple tool,
    you run it from a software package that
  • Not Synced
    has a 'debian' directory, or even one
    level up if you keep all of your software
  • Not Synced
    packages in one folder. You can go one
    level up and say 'uscan', and it will look
  • Not Synced
    in all of the folder that are children
    of it, and look for new version by
  • Not Synced
    trying to find for new upstreams versions
    in 'debian/watch'.
  • Not Synced
    And if you have configured 'debian/watch'
    properly, it can find the new upstream
  • Not Synced
    signatures, and if you have got the
    'upstream/signing-key.asc', then
  • Not Synced
    it will actually verify the signature for
    you as part of fetching the new
  • Not Synced
    upstream tarball.
  • Not Synced
    So you can get all of those things just
    by setting ???? that way.
  • Not Synced
    There is a hand up down there, could we
    get the mic down to the hand ?
  • Not Synced
    Or to the person who has that hand, it is
    not just a hand. [public laugh]
  • Not Synced
    [someone] Publish a tarball and a hash, '.sha1',
    and sign that hash, '.sha1.asc'.
  • Not Synced
    Can 'uscan' cope with this and check the
    signature on the hash and that the hash
  • Not Synced
    belongs to that tarball ?
  • Not Synced
    [Daniel] I do not believe that 'uscan' can
    do that currently. So anybody out there
  • Not Synced
    who wants to make things better for the
    world should go hack on 'uscan':
  • Not Synced
    that is a pretty straightforward thing
    that we should fix because I agree
  • Not Synced
    that is common pattern.
  • Not Synced
    [someone] I have no answer to this
    question by I have another question:
  • Not Synced
    how do you convince upstreams who do
    not release tarballs or who do
  • Not Synced
    not set tags in Git ?
  • Not Synced
    [Daniel] Who do not make tags in Git ?
  • Not Synced
    [someone] Yes, if there is no tags you
    can not check out a tarball.
  • Not Synced
    Is there any good way to convince
    upstream to do this ?
  • Not Synced
    [Daniel] Git has this nice feature, which
    is that you can create a tag,
  • Not Synced
    which is associate with a particular
    revision,
  • Not Synced
    and you would like to have a tag
    everywhere that a tarball has been
  • Not Synced
    released from. I am tempted to pull up
    a Git view and show people some tags.
  • Not Synced
    The question that you ask is a social
    one, not just a technical one,
  • Not Synced
    and I actually find that my upstreams
    are pretty responsive.
  • Not Synced
    Usually I frame my request as "hey, it
    looks like you made this tarball from
  • Not Synced
    this particular commit 'id'. If you could
    tag you releases, it would be really
  • Not Synced
    helpful to me, and here is the command
    that I would use to tag the release".
  • Not Synced
    And I say "git tag…" and of course I
    can never remember so first I look it up,
  • Not Synced
    but it is either 'tag name' 'commit id' or
    'commit id' 'tag name'.
  • Not Synced
    But I would look it up and I would write
    the e-mail so that all they have to do is
  • Not Synced
    they read it, understand my argument,
    and execute one command.
  • Not Synced
    And then it starts them ??????
  • Not Synced
    And if you say 'tag -s' then your tag will
    be cryptographically signed, which
  • Not Synced
    I think is a really good thing to do too.
  • Not Synced
    So, cryptographic verification of
    upstream.
  • Not Synced
    As I said, I want to keep upstream's code
    in the revision control system.
  • Not Synced
    I also like to keep…
  • Not Synced
    In my ideal case upstream is using Git:
    I am using Git for packaging.
  • Not Synced
    I actually like to keep upsteam's Git
    history fully in my repository,
  • Not Synced
    so that I do not just have the tarballs,
    but I actually have all of their commits.
  • Not Synced
    And that turns out to be really useful
    for two specific cases:
  • Not Synced
    In one case, there is a common scenario
    where upstream will fix a bug,
  • Not Synced
    but they have not made a release yet.
  • Not Synced
    And that bug is really, really obviously
    problematic for the folks who are
  • Not Synced
    using Debian, so want to fix it.
  • Not Synced
    All I can do, because I have their full
    revision history, I can use Git to "cherry
  • Not Synced
    pick" the upstream commit.
  • Not Synced
    And then I "cherry pick" that upstream
    commit and I can have it applied
  • Not Synced
    separately and release an Debian version
    that has the fix, even before upstream
  • Not Synced
    has made a release with the fix.
  • Not Synced
    So one nice thing about having upstream
    revision is that I can pull fixes from
  • Not Synced
    upstream before they decided
    to release it.
  • Not Synced
    The other advantage is the other
    way around.
  • Not Synced
    Often when I am doing packaging,
    I discover a problem,
  • Not Synced
    and maybe I can fix the problem.
  • Not Synced
    And if that maybe I am already shipping
    a Debian package that fixes the problem.
  • Not Synced
    If my Debian fixes can be directly applied
    to upstream, then I can use whatever
  • Not Synced
    they
Title:
Preferred_Debian_Packaging.webm
Video Language:
English
Team:
Debconf
Project:
2015_debconf15

English subtitles

Revisions Compare revisions